Federal regulators Thursday established for the first time broad privacy rules giving customers a greater say in how internet providers like Comcast and Verizon share information about their online habits. The new rules, which were fiercely opposed by the telecom industry, come as the overwhelming majority of American adults believe they’ve lost control over how their personal information is collected and used by technology companies.
Under the rules, internet providers must first get your consent before they can use “sensitive” information, or share it with a third party. The types of data covered include key aspects of our digital footprints, such as web browsing history and geo-location, as well as older forms of sensitive information like social security numbers and health and financial records. For the FCC, this model of “opt-in” consent equips customers with a higher degree of control, even as find we ourselves in an age of constant, invisible, and ubiquitous data collection.
The regulations also compel broadband providers to notify customers about the kinds of information they collect, the purpose of that data collection, and to identify the types of third parties that have access to customers’ information.
Only broadband providers will be affected by the rules, not search engines or social networks. But lawmakers and consumer advocates say the regulations are a significant step forward in protecting online privacy. While the Federal Trade Commission has limited power to create privacy rules as it oversees the giants of Silicon Valley, the FCC can impose such regulations on telecom companies after the passage of network neutrality in 2015.
For supporters of the FCC, the move represents a much-needed corrective for companies that connect us to the internet, and establishes broad consumer protections that did not exist as Facebook and Google swelled into empires.
“Before today there were no protections,” said FCC chair Tom Wheeler, who led efforts to set the rules in place. “We are extending to the internet the same kinds of protections that we have for decades extended to the telephone network: The network can’t use the information without the consumer's permission.”
The privacy regulations passed, in a 3-2 vote, with the two Republican Commissioners dissenting. Commissioners Ajit Pai and Michael O’Rielly described the rules as running counter to established privacy regulations and an aggressive overreach posing a burden on internet providers.
Commissioner O’Rielly also criticized the opt-in approach, in which internet companies must get our approval before they can share our data. Citing statistics that indicate people overwhelmingly use a technology's default settings, O’Reilly argued that these new regulations would effectively make privacy decisions for customers, since we’re likely to not pay attention to the default privacy setting or skip past them.
“This isn’t consumer choice it’s recognition of consumer apathy,” O'Reilly said.
Walter McCormick, the president of USTelecom, which represents AT&T, Verizon, CenturyLink and many others said in a statement to BuzzFeed News, “This is a disservice to the goal of providing consumers with consistency in privacy expectations when they use the internet and poses a threat to continuing web innovation.”
But Chair Wheeler framed the privacy rules as upholding a simple principle: consumer information on the web belongs to individuals, not the networks that deliver that information. “It is the consumer’s information,” he said repeatedly. “How it is used should be the consumer’s choice, not the choice of some corporate algorithm.”
Commissioner Jessica Rosenworcel, who voted in favor of the rules, described them as a desperately needed privacy tool, the first in almost a decade to protect individuals against the rush of data collection.
“[Consumers] want privacy, but more importantly they want control,” she said. “They want to control the whiplash from some of these digital forces and take some ownership of what is done with their personal information.”